JWT inspector
Paste any JWT. We never send it to a server — decoding happens entirely in your browser.
Want to attack a verifier? The JWT forging workbench mints a real RS256 token with an in-browser keypair, then runs four CVE-class forgeries (alg=none, RS→HS confusion, kid traversal, tamper-no-resign) against a configurable verifier so you can see exactly which defense stops which attack.
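The local decode step and the header checks that stop alg=none, RS→HS confusion and kid abuse, as an added JavaScript example (not the inspector's or the workbench's own code). `ALLOWED_ALG`, `KNOWN_KIDS`, the function names and the finding labels are assumptions made for illustration.

```javascript
// Added example: decode a JWT locally, then apply header policy checks.
// ALLOWED_ALG and KNOWN_KIDS stand in for a verifier's own configuration (assumed).
const ALLOWED_ALG = "RS256";
const KNOWN_KIDS = new Set(["key-2024-01"]); // constructed sample key id

// base64url -> JSON, using only APIs available in browsers and current Node.
function b64urlToJson(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Decoding is not verification: nothing here proves the token is authentic.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected three dot-separated segments");
  return {
    header: b64urlToJson(parts[0]),
    payload: b64urlToJson(parts[1]),
    signature: parts[2],
  };
}

// Checks a verifier makes on the header before it selects or touches any key.
function headerPolicyFindings(token) {
  const { header, signature } = decodeJwt(token);
  const findings = [];
  if (typeof header.alg !== "string" || header.alg.toLowerCase() === "none") {
    findings.push("alg-none"); // unsigned token presented as valid
  } else if (header.alg !== ALLOWED_ALG) {
    findings.push("alg-not-pinned"); // covers RS->HS confusion: token picks the algorithm
  }
  if (signature === "") findings.push("empty-signature");
  // kid is attacker-controlled: match it against known ids, never use it as a path or query.
  if ("kid" in header && !KNOWN_KIDS.has(header.kid)) findings.push("kid-not-allowlisted");
  return findings;
}
```

Tamper-no-resign passes every header check; only verifying the signature over the exact received header and payload bytes with the pinned key catches it.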